Chapter 3 Playgrounds to Battlegrounds

concludes "Tomorrow's terrorist may be able to do more with a keyboard than with a bomb." 92

In a 1997 paper, Collin describes several possible scenarios. In one, a cyber- terrorist hacks into the processing control system of a cereal manufacturer and changes the levels of iron supplement. A nation of children get sick and die. In another, the cyberterrorist attacks the next generation of air traffic control systems. Two large civilian aircraft collide. In a third, the cyberterrorist disrupts banks, international financial transactions, and stock exchanges. Economic systems grind to a halt, the public loses confidence, and destabilization is achieved.93

Analyzing the plausibility of Collin's hypothetical attacks, Pollitt concludes that there is sufficient human involvement in the control processes used today that cyberterrorism does not-at present-pose a significant risk in the classical sense. In the cereal contamination scenario, for example, he argues that the quantity of iron ( or any other nutritious substance) that would be required to become toxic is so large that assembly line workers would notice. They would run out of iron on the assembly line and the product would taste different and not good. In the air traffic control scenario, humans in the loop would notice the problems and take corrective action. Pilots, he says, are trained to be aware of the situation, to catch errors made by air traffic controllers, and to operate in the absence of any air traffic control at all.94 Pollitt does not imply by his analysis that computers ate safe and free from vulnerability. To the contrary, his argument is that despite these vulnerabilities, because humans are in the loop, a cyber attack is unlikely to have such devastating consequences. He concludes that " As we build more and more technology into our civilization, v\Te must ensure that there is sufficient human oversight and intervention to safeguard those whom technology serves. At least two independent studies have suggested that financial systems are vulnerable to an information warfare attack by terrorists or other hostile parties. One, by Tom Manzi, argues that the Clearing House Interbank Payment System (CHIPS) or the Fedwire funds transfer system operated by the Federal Reserve System could be knocked out for an extended period of time by a physical attack that uses a combination of car bombs and electromagnetic weapons.95 Another, by Air Force Cadet Edward Browne, argues that the systems are well protected physically but that CHIPS is vulnerable to an attack that exploits the daily lag of credits against debits.96 Brian S. Bigelow, a major in the U.S. Air Force, dismisses both scenarios, arguing that they do not hold water when tested against the real conditions in the financial industry. Like Pollitt, Bigelow argues that there are substantial checks and balances in these systems. "Both Browne's and Manzi's scenarios illustrate the suspension of disbelief that undermines the credibility of many infowar discussions. The use of computers and networks undeniably creates vulnerabilities, but to say this makes them the Achilles' heel of the financial

Playgrounds to Battlegrounds 71

services infrastructure is to ignore the very considerable measures institutions have taken to manage their information systems risks."97

Telecommunications systems have suffered numerous outages but so far none that induced more than temporary hardship. The May 1998 satellite out- age illustrates. When the PanAmSat Corp. satellite spun out of control on Tuesday evening, May 19, it crippled most u.s. paging services as well as some data and media feed. The company immediately began shifting signals onto other PanAmSat satellites, while doctors, nurses, and police officers switched to alter- native technologies such as walkie-talkies, portable radios, and cellular telephone,~. National Public Radio began distributing All Things Considered via phone lines and a RealAudio feed on its Web site. By Thursday morning, 75% of businesses that depended on the satellite had been assigned alternative bandwidth. PageNet, the largest pager service in the country, said 85% of their 10.4 million customers had working beepers by Thursday and that the rest were expected to be operational by Friday. According to the Washington Times, "no one was re- ported seriously injured by the satellite's failure. There were no howls from Wall Street about lost deals." 98

In an article titled "How Many Terrorists Fit on a Computer Keyboard?" William Church presents a strong case that the United States does not yet face a compelling threat from terrorists using information warfare techniques to dis- rupt critical infrastructure. They lack either the motivation, capabilities, or skills to pull off a cyber attack at this time. Church does not rule out a physical attack against the infrastructure, but such a threat is neither new nor matured by U.S. reliance on technology.99 In another essay, Church includes terrorists in his list of information warfare threats against the United States. In decreasing priority, the threats are organized crime (financial fraud and extortion), individual hacker terrorism, politically oriented nongovernment organizations, physically violent terrorist groups, and finally other states. 100 Clark Staten testified that it was believed that "members of some Islamic extremist organizations have been at - tempting to develop a 'hacker network' to support their computer activities and even engage in offensive information warfare attacks in the future." 10l

Early indicators suggest that terrorist groups may use the Internet more to influence public perception and coordinate their activities than to launch highly destructive and disruptive attacks, at least against the Net itself. The Internet is likely to have greater value to them when it is fully operational. If that is the case, then it will also be in their interest to keep the supporting infrastructures running, including those for telecommunications and power .

At least for the time being, the terrorist threat from bombs and weapons of mass destruction, particularly chemical and biological weapons, may be greater than from cyber at tacks. 102 The effects are likely to be more violent and have a greater psychological impact than anything that can be accomplished in

cyberspace. Further, there is more uncertainty associated with cyber attacks. It is easier to predict the damages from a well-placed bomb than from shutting down computer systems, releasing a virus, or tampering with electronic files. So far, the most destructive attacks have been perpetrated by hackers fooling around or protesting policies and by persons seeking revenge against their former employers. None of these have caused fatalities.

Cyber attacks may be used as an ancillary tool in support of other operations-just as they may support, but not replace, more conventional military operations. To illustrate, in early 1998, a design flaw was reported in a security badge system used widely in airports, state prisons, financial institutions, military contractors, government agencies (including the CIA), and high-tech companies. The vulnerability would have allowed an intruder to use a dial-up line or network connection to create permanent or temporary badges for gaining access to secured areas, unlock doors guarding sensitive areas, schedule events such as unlocking all doors at a particular time, and create badges that left no record of a person entering and leaving a secured area.1O3 One can imagine a terrorist group attempting to exploit such a vulnerability as part of a larger operation to penetrate airport security. That done, explosives might be hidden on board an aircraft.

None of this is to say that a catastrophic cyber attack cannot and will not occur .The future cannot be predicted, and an attack might proceed in ways that have not been anticipated. Thus, it is worth taking steps to ensure that critical infrastructures are sufficiently hardened to defeat an adversary, whether a terrorist, foreign government, hacker, or high-tech thief. It is also worth constructing scenarios such as those postulated by Collin, Manzi, Browne, and others as they offer a powerful tool for discovering and analyzing potential vulnerabilities and threats.

At the same time they introduced the concept of cyberwar to think about military operations conducted according to information-related principles, Arquilla and Ronfeldt introduced "netwar" to think about information-related struggles most often associated with low-intensity conflict by nonstate actors, including nongovernment organizations (NGOs) .They predict that future conflicts will be fought by groups that are organized more as networks than as hierarchies. They argue that networks can defeat institutions and that hierarchies have a difficult time fighting networks. They are particularly interested in "all-channel networks," in which every node can communicate with every other node. This type of network is a natural outgrowth of modern technologies, particularly the Inter- net, which offer easy connectivity between any two entities. Arquilla and Ronfeldt believe the network form to be one of the most significant effects of the

held in Liz, Austria. According to Brett Stalbaum, author of the FloodNet software used in the attack, the Pentagon was chosen because "we believe that the U.S. military trained the soldiers carrying out the human rights abuses." Stalbaum said the Frankfurt Stock Exchange was selected because it represented globalization, which was at the root of the Chiapas' problems. EDT estimated that up to 10,000 people participated in the demonstration, delivering 600,000 hits per minute to each of the three sites. The Web servers operated by the Pentagon and Mexican government, however, struck back. When they sensed an attack from the FloodNet servers, they opened window after window in the users' browsers, in some cases forcing the protestors to reboot their computers. The Frankfurt Stock Exchange reported that they normally get 6 million hits a day and that services appeared unaffected. 107

This example adds further support to the notion that the Internet may prove more valuable as a means of influencing public opinion and coordinating activity than as a target of destructive operations. Individual nodes on the Inter- net may be attacked, but doing so requires that the infrastructure itself remain intact.

Protecting National Infrastructures

The U.S. government has taken several steps to defend national information infrastructures. Although it is beyond the scope of this book to cover all of them, two are particularly noteworthy and referenced in later chapters. The first was the formation of a Computer Emergency Response Team Coordination Center (CERT /CC) at Carnegie- Mellon University. CERT /CC was established in 1988 following a major incident on the Internet that disrupted thousands of computers ( see the Internet Worm in Chapter 10). The Department of Defense Advanced Research Projects Agency, which founded the Internet, created the CERT /CC so that the United States would be better prepared for future incidents. CERT /CC was to offer a 24-hour point of contact and a central point for identifying vulnerabilities and working with the vendor community to resolve them.

Since the creation of CERT, numerous other incident-handling and response centers have been created within the federal government, including the Department of Energy's Computer Incident Advisory Capability ( CIAC) and the Defense Information Systems Agency's ASSIST. In 1989, the Forum of Incident Response and Security Teams (FIRST) was established to facilitate information exchange and coordination among these centers. These efforts led to the formation of a Federal Computer Incident Response Center (FedCIRC), which pro- vides a government-wide incident response capability on a subscription basis.lo8

The second was the formation of the President's Commission on Critical Infrastructure Protection (PCCIP) in July 1996. The PCCIP was asked to study

the critical infrastructures that constitute the life support systems of the nation, determine their vulnerabilities to a wide range of threats, and propose a strategy for protecting them in the future. Eight infrastructures were identified: telecommunications, banking and finance, electrical power, oil and gas distribution and storage, water supply, transportation, emergency services, and government services. In their final report, issued in October 1997, the commission reported that the threats to critical infrastructures were real and that, through mutual dependence and interconnectedness, they could be vulnerable in new ways. "Intentional exploitation of these new vulnerabilities could have severe consequences for our economy, security, and way of life."

The PCCIP noted that cyber threats have changed the landscape. "In the past we have been protected from hostile attacks on the infrastructures by broad oceans and friendly neighbors. Today, the evolution of cyber threats has changed the situation dramatically. In cyberspace, national borders are no longer relevant. Electrons don't stop to show passports. Potentially serious cyber attacks can be conceived and planned without detectable logistic preparation. They can be in- visibly reconnoitered, clandestinely rehearsed, and then mounted in a matter of minutes or even seconds without revealing the identity and location of the attacker."109

In assessing the threat from both physical and cyber attacks, the PCCIP concluded that "Physical means to exploit physical vulnerabilities probably re- main the most worrisome threat to our infrastructures today. But almost every group we met voiced concerns about the new cyber vulnerabilities and threats. They emphasized the importance of developing approaches to protecting our infrastructures against cyber threats before they materialize and produce major sys- tem damage." 110 The recommendations of the PCCIP are summarized in the last chapter of this book along with follow-on initiatives, including the establishment of the National Infrastructure Protection Center (NIPC) and Presidential Decision Directive (PDD) 63.